CVE-2015-5351

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.